A marked uptick in activity for Indonesian phishing-as-a-service group SPM55 has researchers at threat intelligence firm DomainTools sounding the alarms. 

The up-and-coming SPM55 targets a number of popular services, tech companies and financial institutions, including Coinbase, Netflix, Amazon and Ebay. Its client base is spread out across the globe, with customers identified in Nigeria, Pakistan and other areas historically associated with phishing activity, according to a press release.

Activity over the last several months suggests SPM55 seeks to scale its business operations and a willingness to pivot based on customer feedback, DomainTools researchers wrote on its blog. With the collapse of other phishing-as-a service groups, SPM55 offers a la carte credit card checkers and account validators frequently used for phished credential and payment data validation. 

“Phishing-as-a-service offerings are a significant nexus of phishing attacks, facilitating the ability for a host of actors to continually attack global brands and their customers,” said Sean McNee, DomainTools’ chief technology officer, in a prepared statement. “DomainTools researchers recently identified SPM55 as an up-and-coming offering that has already garnered a significant following and actor base in criminal forums and other venues. Monitoring for lookalike domains can help security teams identify and disrupt malicious campaign infrastructures and protect their companies against these kinds of attacks.”

With phishing remaining the most common vector for account takeover and account fraud activity for many large organizations, DomainTools said SPM55 is a criminal group that organizations should keep tabs on to defend itself and their customers against.